Quick response (QR) codes have significantly redefined how individuals consume marketing and sales information. With the rapid endorsement of QR codes, consumers no longer have to type in a resource link. Now, QR codes can be on a menu, wall, flyer, or billboard, capable of facilitating 7089 letters and 0.8inches by 0.8inches in size, a consumer can scan a digitized representation of their assumed content, directing their browser to the endpoint. QR codes ‌make things faster and more convenient. Marketing associates can now whisk consumers away to any content they want to communicate with a scan and click. Providing such a direct vector of consumption invites malicious actors to take advantage. When considering the “CIA Triad,” with such a drastic increase in availability, QR codes give up ground in integrity.

In 1995, the Japanese began implementing QR codes into everyday business operations (Brindha and Gopikaarani, 2014). Since then, QR code technology has grown‌ immensely, devouring entire marketing strategies and how an ordinary user engages digital content. From the simple beginnings of tracking predominantly motor vehicle parts inventory to today, advertising a crypto exchange during Super Bowl LVI (56), the applications of QR code technology are rapidly expanding. QR code technology has effectively transformed the average consumer mobile device into a scannable content delivery system. A generic user with a cellphone can now access what once required factory-specific instrumentation. Contemporary software packages for Android, Apple, Google, Microsoft, etc. devices have openly adopted the technology. By employing the camera of a device, a client can consume whatever sits on that server.

As with many technological advancements, QR codes are responsible for a new threat vector security-conscious professionals and practitioners must now mitigate against. Drive-by-infection is now as simple as scanning the wrong QR code from a malicious attacker. Through the use of QR codes, an attacker could deliver and read content to and from a user’s mobile device. Consider the act of scanning a QR code on a t-shirt; harmless as it seems, you are presented with a link that displays t-shirts along with purchase data input. You receive your order in the mail, and everything is terrific. It is the simplicity of the interaction vector that gives malicious actors an unmistakable attack angle.

As with most threat vectors, training in both awareness and identification is necessary to prevent the thoughtless consumption of a tainted resource. Mitigating methods include installing screener applications that provide a preview before presenting the content, avoiding QR code stickers informally placed on (surfaces, posters, doors, etc.), updating browser software to the current stable version, and mobile antivirus applications. No matter the level of security your business task requires acknowledging and accepting these mitigating postures is a must. Indifferent to which security framework you implement during the system hardening process (NIST 800–53, PCI DSS, HIPAA, or SOC-2, etc.), awareness training and active avoidance are both essential.

References:

Brindha, G. & Gopikaarani, N, 2014. Secure banking using QR code.

Ham, Jeroen Van Der. “Toward a better understanding of “Cybersecurity”.” Digital Threats: Research and Practice 2.3 (2021): 1–3.

Soon, Tan Jin. “QR code.” synthesis journal 2008 (2008): 59–78.

Baselines:

Center for Internet Security’s CIS Benchmarks

US Department of Defense Systems Agency (DISA) Security Technical Implementation Guides (STIG)